ensure-agents-md
Pass
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by reading project metadata from files like pom.xml and package.json and incorporating that data into a generated instruction file (AGENTS.md). This file is intended to guide subsequent AI agent interactions. If the project configuration is controlled by an attacker, they could inject malicious instructions into the AI's guidance system. \n
- Ingestion points: Metadata is extracted from the root pom.xml (project name, artifactId, and modules) and ui.frontend/package.json (dependency signatures). \n
- Boundary markers: The generated template lacks explicit delimiters or instructions to treat project-specific variables as untrusted data, allowing them to blend with the control instructions. \n
- Capability inventory: The skill is capable of reading the workspace directory structure and configuration files, and writing new markdown files to the repository root. \n
- Sanitization: No validation or sanitization is performed on the extracted strings beyond basic text formatting, leaving the skill vulnerable to instructions hidden within metadata fields.
Audit Metadata